Skip to main content
PATCH
/
v1beta1
/
cks
/
clusters
/
{id}
Update cluster
curl --request PATCH \
  --url https://api.coreweave.com/v1beta1/cks/clusters/{id} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "id": "<string>",
  "version": "<string>",
  "updateMask": "<string>",
  "public": true,
  "auditPolicy": "<string>",
  "network": {
    "internalLbCidrNames": [
      "<string>"
    ]
  },
  "disableOidcInfoPublication": true,
  "kubelet": {},
  "additionalServerSans": [
    "<string>"
  ],
  "tailscale": {
    "clientId": "<string>"
  }
}
'
{
  "cluster": {
    "name": "<string>",
    "zone": "<string>",
    "vpcId": "<string>",
    "version": "<string>",
    "network": {
      "podCidrName": "<string>",
      "serviceCidrName": "<string>",
      "internalLbCidrNames": [
        "<string>"
      ],
      "serviceNodePortRange": {
        "start": 123,
        "end": 123
      }
    },
    "id": "<string>",
    "public": true,
    "oidc": {
      "issuerUrl": "<string>",
      "clientId": "<string>",
      "usernameClaim": "<string>",
      "usernamePrefix": "<string>",
      "groupsClaim": "<string>",
      "groupsPrefix": "<string>",
      "ca": "<string>",
      "requiredClaim": "<string>",
      "adminGroupBinding": "<string>",
      "signingAlgorithms": [
        "<string>"
      ]
    },
    "authzWebhook": {
      "server": "<string>",
      "ca": "<string>"
    },
    "authnWebhook": {
      "server": "<string>",
      "ca": "<string>"
    },
    "auditPolicy": "<string>",
    "apiServerEndpoint": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "isUpgradeable": true,
    "disableOidcInfoPublication": true,
    "kubelet": {},
    "additionalServerSans": [
      "<string>"
    ],
    "tailscale": {
      "clientId": "<string>",
      "tailnetDomain": "<string>"
    },
    "status": "<string>"
  }
}
This method uses a field mask, provided in the updateMask field, to specify which fields to modify. When updateMask is omitted, all fields in the request body are updated. For more information on field masks, see the Google AIP-157 guidance. Required fields on every PATCH request body:
  • id
  • version
The following list of updateMask paths is derived from UpdateClusterRequest in the upstream proto and from the update_request.json fixture in the CKS API repository.
  • public
  • version
  • auditPolicy
  • oidc (and nested paths such as oidc.issuerUrl, oidc.clientId, oidc.ca)
  • authzWebhook (and nested authzWebhook.server, authzWebhook.ca)
  • authnWebhook (and nested authnWebhook.server, authnWebhook.ca)
  • network.internalLbCidrNames (append-only)
  • network.serviceNodePortRange
  • disableOidcInfoPublication
  • kubelet
  • additionalServerSans
  • tailscale
Example request
curl -X PATCH https://api.coreweave.com/v1beta1/cks/clusters/{id} \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer {API_ACCESS_TOKEN}" \
       -d @data.json

Example: upgrade a cluster’s Kubernetes version

To upgrade a cluster, set version to the new minor version and include version in updateMask. See Upgrade Kubernetes for the end-to-end procedure.
data.json
{
  "version": "v1.32",
  "updateMask": "version"
}

Authorizations

Authorization
string
header
default:Bearer {API_ACCESS_TOKEN}
required

CoreWeave API access token sent as a bearer token.

Path Parameters

id
string
required

The ID of the cluster to update.

Body

application/json
id
string
required

The unique identifier for the cluster to update.

version
string
required

The version of Kubernetes to run on the cluster, in minor version format (for example, v1.32). Patch versions are applied automatically by CKS as they are released.

updateMask
string<field-mask>

A field mask specifying which fields to update. When omitted, all fields in the request body are updated. See the PATCH operation documentation for the preliminary list of valid paths and Google AIP-157 for field-mask syntax.

public
boolean

Whether the cluster's api-server is publicly accessible from the Internet.

oidc
object

OpenID Connect (OIDC) configuration for authentication to the api-server.

authzWebhook
object

Authorization webhook configuration for the cluster.

authnWebhook
object

Authentication webhook configuration for the cluster.

auditPolicy
string

Audit policy for the cluster. Must be provided as a base64-encoded JSON or YAML string.

network
object

Mutable subset of the Kubernetes overlay network configuration. Only internalLbCidrNames and serviceNodePortRange may be updated.

disableOidcInfoPublication
boolean

When true, suppresses publication of the /.well-known/openid-configuration and /openid/v1/jwks endpoints to oidc.cks.coreweave.com/id/[CLUSTER-ID], so the cluster cannot be used as a public OIDC provider. Publishing these endpoints exposes the cluster's OIDC configuration and JWKS to the public Internet.

kubelet
object

A JSON object of selective overrides applied to every cluster Node's kubelet configuration. A Node reboot is required for changes to take effect. Unknown options are stored but ignored. See the Kubernetes kubelet configuration reference for supported options.

additionalServerSans
string[]

Up to 10 additional Subject Alternative Names to include on the Kubernetes API server certificate. Each entry must be unique.

tailscale
object

Tailscale configuration for the cluster.

Response

OK

cluster
object

The cluster.

Last modified on June 15, 2026